TrueCrypt forum gone? (TrueCrypt either stopped development or was hacked?)

Discussion in 'privacy technology' started by Palancar, May 28, 2014.

  1. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    67
    Location:
    USA
  2. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    Riiight, because computer programmers who contribute code to open source projects are totally the types to be out getting drunken lap dances in Times Square.

    And for that matter,
    ..15 minutes before the end of a year in what time zone? The programmer who submitted it is based in Germany.

    And finally, and most importantly: as if when it was submitted makes the slightest difference. Obviously submissions are just that...submissions. They go through review and changes are rejected or adopted all the time. Sure, obviously Heartbleed was a serious miss, but the change wasn't adopted until 3 months after it was submitted.

    It's not as if changes get submitted and then implemented immediately, or even in the same week.

    OpenSSL is not Wikipedia.

    I'd try again. I don't think your citation even counts as circumstantial evidence, let alone something that even begins to suggest foul play.
     
  3. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    From page 8 of this thread:

    https://www.wilderssecurity.com/thre...opped-development-or-was-hacked.364391/page-8

    Like he says, you can easily do an Internet search for the hash values and see what comes up. If you find the exact same hash being reported for the exact same file all over the web, (particularly from times around when it was released or before you were suspicious), and no one it saying it's not accurate, I think it's safe to say it's legit.
     
  4. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    67
    Location:
    USA

    Ok, sounds reasonable.
     
  5. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,184
    It was an image file that was posted. I think it pertains to v 7.2 ? N.S.A. (not secure as)

    I've never installed TrueCrypt v 7.2 on my system.
     
  6. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,616
  7. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    Yet the fact remains : It was exactly that submission enabling TLA's to do what they did with it, no ?
    As for the submission-time :
    '11:59pm on New Year's Eve, 2011' source : Robin Seggelmann here :
    http://www.theguardian.com/technology/2014/apr/11/heartbleed-developer-error-regrets-oversight

    As for the 'review' of submissions : Great job they did !

    The fact remains that time and time again all these 'secure' things turn out to be exactly the opposite . I have a rather low limit for how many 'errors', 'bugs' and 'coincidences' I can accept before starting to think 'hmmmmm' .

    PS : Robin Seggelmann also does work for 'a large German tele-company' .
     
    Last edited: Jun 25, 2014
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi

    2014 is with no doubt the year of Crypto...

    This might help http://www.truecrypt71a.com/ http://www.truecrypt71a.com/download
    Nothing new in this German site that has not been said before.

    More over this unique page dated from 2013/08 http://truecryptcheck.wordpress.com/

    Double doubt (TC and its hashes)...enouh is enough...like playing Russian roulette and puppets...

    If i have chance, discussion with Tails guys would be interesting https://tails.boum.org/blueprint/HackFest_2014_Paris/

    Rgds
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Infiltration as a tactic has been going on ever since organized civilization. Unless you are in complete denial, or more than likely are just trying to be contrary here because you have a bone to pick with me, you'd acknowledge this as common knowledge (and sense). But evidence (of any type) is rather hard to come by when it comes to 3 letter agencies and said infiltrators. Your stance (asking for it to be provided) is conveniently the much easier one to take up.

    Just plain false?... What I said was just plain true. It is fact. In that case there's far more than circumstantial evidence to support it. It's well documented. I really don't understand how you can even attempt to refute this. Unless again you're trying to hang everything on one word I could have chosen better (perhaps inherent flaws would have been better terminology than "gaping holes". Or it was 9 years and 11 months instead of a decade?).

    And I hardly used it as the sole, or even main arguing point. It was but one of many, many things in those many threads, some of which more resembled novels, and one I'd consider of less importance than most I made.

    Be honest/objective here... you're just trying to be contrary for the sake of it now, because you have a grudge. You even know that what you're saying isn't accurate.
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    It's not just you. In fact, it's anyone with an ounce of common sense... or that isn't just on a mission to be contrary and isn't truly being remotely objective about this at all. Or a schill...
     
  11. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Well said. Firefox began this vicious cycle starting with v4. I remember staying with v3.6 for the longest time... and it worked GREAT! Ever since then they've been rolling out new versions at warp speed. As you say, faster than anyone can possibly keep up with combing through the code to verify the integrity of the changes (and perhaps that's by design?) I hated when they changed to that update cycle... and I still hate it.

    For me v28 is the last mohican. It's the new 3.6 for me, and I think will be for a lot of people. I will sit here on my XP Pro using it, alongside Comodo FW/D+ 5.10, TrueCrypt 7.1 (no "a"), Sandboxie 3.76, and Shadow Defender 1.1.0.325. Use my CCleaner 3.28 to clean things up once in awhile. And go on this way until I get a compelling reason not to anymore. And the rest of the industry can have their "shiny new things"...
     
  12. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Not sure how carefully his input/work was reviewed, but the rest is accurate, yeah. And as was even mentioned in the thread drawing people's attention to the situation (and demonstrated many times in real world situations)... someone very skilled/clever can still hide backdoors & otherwise shady things into the code and have it evade the eyes of auditors... who are almost always understaffed, underpaid, underappreciated, and under-slept... as they stare at that code for hours with weary eyes you're bound to let things slip past.
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I'll continue to use 7.1, for reasons I mentioned before in here. Albeit very vague, minor things, and largely intuition alone. I don't like that "a" at all either, part of the 3 letter agency in their supposed hidden message. Why not just name that version 7.2 instead? It may just be paranoia in this case, but I figure, why take the risk? There's not much different between the two anyway... nothing that matters to me. I feel safer with the normal 7.1

    Just my 2 cents
     
  14. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,186
    Lucid, your reasoning made sense to me so I downgraded to FF28. For TC, I DL'd the "a" version but its not installed. Where would be the safest place to get the installer for 7.1.

    Edit to say: I think it was FF 3.5 ...I arm wrestled with it to I stayed on it until the bitter end. I think it was the last version to have the Cache files in one Folder. Youre right, since then its just update after update.
     
    Last edited: Jun 25, 2014
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @luciddream
    We have much the same views on these matters. We have different preferences for operating systems and applications but almost identical reasons for staying with those we prefer. I was using XP part time for a while, primarily for an online game I enjoyed. 98 was still my primary system. When I decided to operate a Tor exit, my XP install wasn't up to the task. The longest it would run was about 2 days before crashing. When I tried Tor on the same PC running my modified 98 system, it ran for 2 weeks before showing any instability problems. Except for being able to run the most current browsers, the XP install gave me nothing that 98 couldn't do just as well. With the direction that current browsers are going, I had no incentive to update them and several reasons not to. Most of the desirable features of the newer browser versions were available as extensions. With those, I had a choice as to which features I wanted, none of which call home as a result.

    My choice of 98 over XP is for very similar reasons. It's not what 98 offers that XP doesn't. It's what 98 doesn't have by default. Things like:
    UPnP and ICS installed and enabled by default,
    Remote registry service, enabled by default
    RPC as a core service,
    A file system (NTFS) that hides data (and malware) from the user in alternate data streams,
    A registry that stores usage info dating back years in multiple locations, example ShellBags
    Unnecessary services that open ports, waste system resources, and store usage tracks.

    With routers being found vulnerable and exploitable, some by design, UPnP is a potential security disaster. I expect that very soon we'll find that UPnP is and has been exploitable for years. When Windows updates change services settings without the user knowing, how much can one rely on just disabling UPnP? On 98, UPnP is an optional install, not a service running by default. The same applies to Internet Connection Sharing (ICS). If I want these, I'll install them. On 98, there are no ShellBags or similar items in the registry. The usage tracks stored by 98 are minimal. On XP, the user can't back up and restore the registry without using 3rd party tools or doing a full system restore. I suspect that this is deliberate to prevent the easy deletion of usage tracks. On 98, the necessary registry are part of the OS. On 98, I can access and edit every file and directory on the system using built in tools. XP won't allow that without 3rd party tools or a separate OS, especially if you count alternate data streams. On 98, if I disable the NETBIOS ports (an easy configuration change), I can connect directly to the internet without a firewall or router and not expose any open ports. On XP, one can disable and remove several services and get all of the open ports closed. It takes quite a bit of work and then one has to monitor those services to make sure that an install or update doesn't re-enable any of them. On Vista and newer, the user doesn't have that ability. Without a router, those operating systems are exposed. It amazes me that an operating that requires a built in software firewall and a router to protect it from unsolicited inbound traffic is considered more secure from intrusion than one that requires neither.

    Regarding encryption software, IMO this newer is better mentality is dangerous, not just with the software and how often it's updated, but also the ciphers. With AES for instance, the reasons it's recommended are
    1, It's the standard.
    2, It's newer than others which were never broken
    3, It's been subjected to more testing.

    Nowhere was it ever claimed to be stronger. It was selected as the standard more for performance reasons than strength. Add to that the following:
    The NSA was involved in choosing the standard. The NSA is subverting encryption software, standards, and hardware at every opportunity. One of the primary purposes of their new data centers is breaking encryption. Obviously the bulk of their efforts will be aimed at the most commonly used encryption, the standard, AES. Why use something that they'd obviously target when other equally strong options are available?

    Regarding TrueCrypt, IMO there's a permanent cloud over it that's not going to go away. As much as I'd like to see the audit results, I question if we can trust it. If the developers were found and coerced, detained, threatened, or whatever, how can one think that the auditor hasn't also been targeted? Any information we get from this time forward regarding TrueCrypt will be impossible to verify for accuracy. Whether one should use it or not has become a question of trust. Luciddream, in this matter, I suspect that your choices would be the way to go for those staying with TC. IMO, the available 3rd party tools and the ability to strip out the excess from XP are sufficient enough to secure it. The wording of the TC page makes me believe that anything newer can't be trusted. I was planning on trying out TC on a virtual system when time permitted. After everything that's happened, I'll stay with what I've been using.
     
  16. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  17. guest

    guest Guest

    Anyone has used DiskCryptor? is really a replacement for TC or it has more features? can I assume that both are equally safe? (without taking into account the latest news about TC)
    Can I open with DC volumes created with TC and viceversa?
     
  18. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I have a different take on this part. For one thing these govt. institutions use AES themselves, so they must know it's secure. I find it more likely that they realize was made to be secure, and they're trying to push other things that are supposedly bigger & better (newer) these days and convince people that it's "stronger" than AES. Things like Blowfish, etc... And also why they want to move people away from CBC to GCM, to the elliptic curve and away from signing with RSA. Out with the old... in with the new, is what they're pushing.

    But yeah totally agree with everything else you said really. We look at things very much the same way. Are you using 98SE, or just plan 98? I loved 98SE too... so much so that I skipped Win2K altogether and even waited until XP put out SP2 until upgrading to it from 98SE. Because I found XP SP2 to be a very good OS as well.
     
  19. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    You may be thinking of FF 3.6... after that dramatic changes were made to to starting with v4, and some people are still on 3.6. I stuck with it too for awhile, but then starting with v8 (I believe) there was a change that really added privacy to the browser I wanted to take advantage of (user agent string), so I upgraded. And it was noticeably more responsive than 3.6 and a great browser. I tried 4 and hated it, but by 8 they had the kinks worked out in FF's new face it seemed. So I'd recommend anyone still on 3.6 to go ahead and update all the way to v28.0.

    Not only do I not trust anything from v29 on... I found it to be less responsive and crash prone as well.

    As for TrueCrypt 7.1... if you can't find an installer for it PM me and I'll upload it to 4Shared and provide you a link to it.
     
  20. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,186
    Its a while ago now but Im pretty sure 3.6 was the 1st version to have those multiple Cache Folders. I downgraded to 3.5 and stuck it out til the bitter end. Anyway Im on 28 now.

    I found TC 7.1 on an UK IT site..... xxx.v3.co.uk/v3-uk/download-review/1955092/truecrypt . The server (creativemark.co.uk) I DL'd from didn't try and use a funky installer loaded with who knows what, and there didn't appear to be any diversions or excess baggage with the DL. Still, I'm wary these days. How would I verify this DL is safe? Anyway, its still sitting in Sandboxie.

    Thanks for the offer Luciddream, I checked out 4Shared and it looks like they require you to register. Don't want to do that. Also saw some reviews on it and some people said they got scumware off it. Others said they didn't.

    A bit off topic, but just saw Ronjors post ...

    https://www.wilderssecurity.com/thre...ing-project-seeks-to-obscure-metadata.365784/

    If they pull this off, it would be nice to be able to send encrypted files anonymously even between the sender and receiver. In light of how dire things have become concerning privacy and security, I'm sure we'll be looking for things like this to circumvent this blight.
     
  21. _Owl_

    _Owl_ Registered Member

    Joined:
    Jun 19, 2014
    Posts:
    8
    Have you ever read Comodo's EULA? I guess not. You agreed that they are collecting your data without your knowledge. :D
    Or why do you guess, does a SECURITY software scan your HD for multimedia files and categorizes them for you? For your security? :D
    You have given them explicit access to your system and you agreed that they collect your data!

    Have you ever read the Comodo forums? To me it's obvious that there are a lot of fake accounts, making people believe it was their software that makes the computer safe - not the user. And that normal Virus scanners were useless and only the 24/7 online control of Comodo was offering security. :D

    When I see how this kind of (free) security-software has been developed to take control away from the user ( the free AVs in the first instance became successful because they were slim and fast, compared to the Symantec-NSA bloatware), make him stay connected all the time, analyze everything he is doing (ofcourse only to make the product "better") then I know there is something fishy going on.

    Look, how every keygen or crack is immediately moved on their blacklist, and it stays there, although it is NOT a troyan or a virus and even if the heuristics are switched off.

    The same companies do not educate their customers what they should avoid not to become infected.

    For example I find it ridiculous that my Avira AV wants to check my emails and surfing and that someone must be half a computer expert to reach all the menues to switch all the data collecting garbage off.

    It reminds me of the time, when Facebook suddenly became a "social network". It has nothing to do with social, it doesn't bring people together, but it is the biggest private data collecting machine, the CIA has ever dreamt about (according to the CIA chief's own words) - but suddenly the mainstream media spun this insanity to share privte things publicly as totally cool and normal and the sheeple have been following.
     
    Last edited: Jul 13, 2014
  22. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,604
    Location:
    European Union
    Are you sure you are talking about Comodo FW v.5 ? Because it does nothing of this sort on my computer...
     
  23. _Owl_

    _Owl_ Registered Member

    Joined:
    Jun 19, 2014
    Posts:
    8
    I'm not sure if this was about the FW since I was researching a backup solution for encrypted drives.
    But I guess with their EULA it doesn't matter anyway... :D
     
  24. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Just a thought here, to kind of reverse think this whole issue. If for a moment we assume the developers did post the information that true crypt is not secure and that we should use BitLocker. It is possible the developers know something we don't about the operating systems it is designed for?
    The TrueCrypt documentation states TrueCrypt is not secure if any kind of malware is already installed on the system. What if the developers became aware such TrueCrypt busting "malware" is now built into Windows itself ?
    We know there has been a string of cases where TrueCrypt prevented law enforcement from retrieving information from a suspects computer, that together with the paranoia of the NSA it is easy to see TrueCrypt would be considered a problem for them. They could not coerce the developers to compromise the security of TrueCrypt because it is open source and any such changes would be visible by scrutiny so what would they do ?
    Another option might be to pressure Microsoft to find a way to defeat TrueCrypt and build it into Windows. If that were the case it might explain why the developers would tell us to use BitLocker instead. They could be giving us a clue to what happened.
    We know we can only trust BitLocker up to the level of Microsoft because it is closed source so from a security point of view we must assume Microsoft has access. If the TrueCrypt developers are saying TrueCrypt == BitLocker there is really only one conclusion to be drawn from that.
     
    Last edited: Jul 16, 2014
  25. brians08

    brians08 Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    100
    To take this a step further, think of the Microsoft business position to explain why Bitlocker might still be secure. Imagine the NSA going to Microsoft and demanding a backdoor to Bitlocker. Complying with this would put Microsoft's entire business into question. Microsoft is actually making some sort of guarantee that their encryption provides data security. If a NSA backdoor is discovered, Microsoft gets slammed with lawsuits from angry customers and looses hundreds of millions of dollars.
    If instead, Microsoft adds some special tweaks to Windows that just happen to compromise the security of TrueCrypt well, oops! Microsoft would have no liability for some subtle interaction between a new security update and third party free software. If the NSA were assisting, there would be no trail of evidence to prove it was intentional.
    Now with TrueCrypt pulling the plug, if the above is true, where does this leave the NSA? Back to pressure Microsoft to backdoor Bitlocker?
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.